INET Denver considers Internet life without IPv4 addresses

After Asia and Europe, North America is next in line to run out of IP addresses.

On Wednesday, the Internet Society, the Rocky Mountain IPv6 Task Force, and others organized "INET Denver: IPv4 Exhaustion and the Path to IPv6." After seeing the same scene play out in Asia in 2011 and in Europe last year, the North American Internet industry seems well aware that it is next in line to see its access to (almost) free and (fairly) plentiful IP addresses dry up. At this time, the American Registry for Internet Numbers (ARIN) has 2.44 blocks of 16.78 million IPv4 addresses left. This amount is predicted to last until April 2014.

After some introductory remarks, Geoff Huston, who works at ARIN's Asian counterpart APNIC, got the ball rolling with an overview of the state of IPv6. (The slides he used were very similar to these from November (PDF).) Huston argued that the telecoms industry has "a rich history of making very poor technology choices." This is the same industry that gave us ISDN and ATM—after all, that Internet thing and the packet switching that it's based on would never amount to anything. Huston went on to explain the environment in which IPv6 was created: IPv6 came about in order to create additional IP addresses to fuel the Internet once the roughly four billion that the existing Internet Protocol version 4 (IPv4) allows for are used up.

Running out of IPv4 addresses was predicted in some fashion as far back as two decades ago. But Huston showed how despite this, the IPv4 piggy bank now looks empty and it still managed to catch much of the industry by surprise. A big part of the problem was that until now, new technologies always allowed the network operators to save money. With IPv6, that's not the case. Huston talked about several transition strategies, but he doesn't find any that will provide relief before the shortage of IPv4 addresses becomes acute. However, there are ways to slice and dice IPv4 addresses so existing and new groups of users can continue to be connected to the IPv4 Internet. But the network operators that deploy these technologies now have an incentive to protect their investments in expensive equipment.

According to Huston, at some point during the next five years we have to make a choice. We can go down the path of Carrier Grade NATs (CGNs) and put an entire neighborhood behind a single shared IPv4 address. Or, we can bite the bullet and upgrade or replace all those devices (mostly in the last mile infrastructure) that are keeping us from moving towards IPv6. "And it's not yet clear which path the Internet will take!"

However, it seems that expecting the entire Internet—or even just the network operators providing access to it—to do the same thing is an exercise in futility. Surely there will be many CGNs deployed in the next five years, while the number of people with IPv6 connectivity will keep going up simultaneously. That crossroads will remain a busy place as people have to keep coming back to it and switch paths on an ongoing basis.

Huston finished with a few observations, including his belief that addresses should be used, not hoarded. This brings us to the "Evaluation of Current Transfer Market" panel discussion. We've covered address trading before. Since then, it has become possible to transfer IPv4 addresses between ARIN and APNIC. A few blocks have been transferred from North American holders to organizations in Asia and the Pacific. Inter-region address trading can only happen when the two regions have compatible policies, which is currently not the case between ARIN and the RIPE NCC in Europe. That may or may not change, depending on the policy proposals that will be adopted by the RIPE NCC in the near future.

Two representatives from companies that facilitate address transfers were also part of the panel, and both advocated for fewer rules getting in the way of address transfers. ("IPv4 isn't exhausted, it's not even tired!") Interestingly, the five Regional Internet Registries aren't in charge of their own policies: these are created through a community-based policy development mechanism. Unfortunately, any adverse results, such as the creation of lots of small address blocks, affect the entire world.

After all the address trading discussions, Time Warner Cable's Lee Howard talked about the total cost of ownership (TCO) of CGN and IPv6. CGNs aren't cheap, and they break some applications, leading to support calls. But these two costs are dwarfed by another undesired result: if their favorite application no longer works, some users may terminate their contract. As a result, the costs of deploying CGN are dominated by the lost revenue of customers that leave because CGN breaks their applications. Running IPv6 alongside IPv4 ("dual stack") requires new software and, for many users, a new cable or ADSL modem. The addition of IPv6 doesn't break anything, so there's no lost revenue. But again, it also doesn't solve the shortage of IPv4 addresses in the short term.

Last but not least, there's the option of buying IPv4 addresses. Howard calculated that there are roughly half a billion abandoned or unused IPv4 addresses. These may enter the market with prices between $9 and $12 per address. Another half a billion may be underutilized and become available for between $9 and $16. Considering the costs of CGN deployment and/or dual stack, being able to buy IPv4 addresses for these prices would be attractive for ISPs. However, if that starts happening on a large scale, the unused and underutilized IPv4 addresses will still be used up by 2017. After that, IPv4 addresses would have to be bought for as much as $100 or more per address. That is simply untenable for ISPs.

We spoke with Richard Jimmerson, now IPv6 expert at the Internet Society but formerly at ARIN, who thinks we'll see the results of both good and bad planning in upcoming years. "Businesses that planned well will continue to grow without hiccups. The ones that planned badly will see hiccups with ongoing business new services. However, it's unknown how much of this we'll see on the outside." Unlike Huston, Jimmerson thinks we've already passed the fork in the road. "I believe the industry will do the right thing and deploy IPv6. If you'd asked five years ago, you'd have gotten a completely different answer. But people are onboard with IPv6 now."

Even if IPv4 is going to be around for many years, at some point, the old protocol may only be a shadow of its former self. "There are going to be reasons to do IPv6 earlier than expected," Jimmerson said. "For instance, IPv4 may be so spaghetti-strapped that performance is worse than IPv6." Spaghetti-strapped in this sense means being over-provisioned, so too many users have to share IPv4 resources with too much NAT and too many Band-Aids to be useful. At that point, IPv4 is nothing more than a legacy technology. But, Jimmerson noted, "I wish more energy went into IPv6 and less into making CGN work."

Unlike the last two years, the Internet Society won't be organizing an event like World IPv6 Day or World IPv6 Launch in 2013. As for the future, "it's up to industry players" to decide what possible future IPv6-related Web-wide events will entail.

If anything, INET Denver demonstrated once again that there are no easy answers when it comes to running out of limited resources. But—we can't avoid the question forever.

Iljitsch van Beijnum
Iljitsch is a contributing writer at Ars Technica, where he contributes articles about network protocols as well as Apple topics. He is currently finishing his Ph.D. work at the telematics department at Universidad Carlos III de Madrid (UC3M) in Spain. Email: iljitsch.vanbeijnum@arstechnica.com // Twitter: @iljitsch

150 Reader Comments

As a programmer I would love the end of NAT and as the family computer technician I would love to not have to port forward family routers. In reality I think it is just going to get worse because it is the path of least resistance.

I'm not in networking, but I believe ATM is still widely used, even for the internet. Anyway TWC since they control the endpoints on their network (rental modems, and the CMTS) should have it easier than the internet at large.

As a programmer I would love the end of NAT and as the family computer technician I would love to not have to port forward family routers. In reality I think it is just going to get worse because it is the path of least resistance.

But where would we be without wishful thinking?

That's an IPv6 fallacy: We do not want to get rid of NAT, because NAT doesn't just serve to provide more addresses, but to shield local devices from exposure to the global internet.

Yes, IPv6 makes so many IP addresses available that you can give every tv, thermostat, and toaster in your house its own globally valid IP address. But unless you provide your toaster with full-blown anti-virus and firewall software, you are much better off with local addresses behind a NAT.

No, I don't want NAT. I do want a stateful firewall which is what NAT gives you as a side effect. Router vendors need to provide that instead of NAT and there is no loss in security.

In Australia a lot's going to depend on what happens when the Liberals (republicans/conservatives) win power.

They are talking about stopping the FTTH rollout as part of the NBN and changing it to FTTN and using the existing quickly degrading copper network for vdsl from the node. If that happens expect Australia to be stuck using CGN for the next 50 years for most connections.

Plus quickly selling off the NBN after crippling it with non expandable tech.

According to the Libs no one needs more than 25Mb vdsl and that apartment blocks don't need individual fibre for each apartment but should share a single connection to the node.

Can see that working really well for large apartment blocks with 30 - 100 apartments

That's an IPv6 fallacy: We do not want to get rid of NAT, because NAT doesn't just serve to provide more addresses, but to shield local devices from exposure to the global internet.

Yes, IPv6 makes so many IP addresses available that you can give every tv, thermostat, and toaster in your house its own globally valid IP address. But unless you provide your toaster with full-blown anti-virus and firewall software, you are much better off with local addresses behind a NAT.

Repeat after me, NAT is not a firewall. It just behaves a little like one in the default case. If you port-forward (or "DMZ") an IP address in your router then suddenly, you have no protection. People need to understand this.

So, you need IPv6 on your router where every device behind it is in the "DMZ" on the router, and then you need a firewall on your router that simply blocks all incoming packets unless you say otherwise, and when you do say otherwise, you can restrict the incoming packets by filter rather than simply letting *every* packet through like you have with NAT.

That said, the concept of a single IP address being used by many, many households should surely have the media industry banging down every senator's door and demanding IPv6 be mandated in law!!
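The distinction drawn in the comment above, between a default-deny stateful filter with source-restricted openings and a NAT "DMZ host" that receives everything, can be modelled in a few lines. This is an added illustration, not code from the article or from any commenter; the class names, rule format and port-preserving NAT are assumptions, and all addresses are documentation prefixes.

```python
"""Toy model (constructed): stateful default-deny filter vs. a NAT "DMZ host".

All addresses are documentation prefixes; class and field names are invented.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class StatefulFirewall:
    """Routed IPv6 edge: no translation, unsolicited inbound dropped by default."""
    lan: str                                    # inside prefix
    allow: list = field(default_factory=list)   # (dst, dport, proto, permitted source net)
    flows: set = field(default_factory=set)     # connection-tracking table

    def handle(self, p: Packet) -> str:
        if ip_address(p.src) in ip_network(self.lan):
            # Outbound: remember the flow so its replies are let back in.
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "accept"
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "accept"                     # reply to a tracked flow
        for dst, dport, proto, src_net in self.allow:
            if (ip_address(p.dst) == ip_address(dst) and p.dport == dport
                    and p.proto == proto and ip_address(p.src) in ip_network(src_net)):
                return "accept"                 # explicit, source-restricted pinhole
        return "drop"                           # default deny


@dataclass
class NatRouter:
    """IPv4 NAT edge (port-preserving for brevity) with an optional DMZ host."""
    public: str
    dmz_host: Optional[str] = None
    table: dict = field(default_factory=dict)   # (proto, public port) -> (inside addr, port)

    def outbound(self, p: Packet) -> Packet:
        self.table[(p.proto, p.sport)] = (p.src, p.sport)
        return Packet(self.public, p.sport, p.dst, p.dport, p.proto)

    def inbound(self, p: Packet) -> Optional[Packet]:
        if (p.proto, p.dport) in self.table:
            # Simplified: the mapping is matched on port only, not on source.
            host, port = self.table[(p.proto, p.dport)]
            return Packet(p.src, p.sport, host, port, p.proto)
        if self.dmz_host:
            # Every port from every source is handed to one inside host, unfiltered.
            return Packet(p.src, p.sport, self.dmz_host, p.dport, p.proto)
        return None                             # no mapping: dropped as a side effect
```

In the firewall model the inside hosts keep global addresses and the drop is a policy decision; in the NAT model the drop exists only while no mapping or DMZ host is configured.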

As a programmer I would love the end of NAT and as the family computer technician I would love to not have to port forward family routers. In reality I think it is just going to get worse because it is the path of least resistance.

But where would we be without wishful thinking?

That's an IPv6 fallacy: We do not want to get rid of NAT, because NAT doesn't just serve to provide more addresses, but to shield local devices from exposure to the global internet.

Yes, IPv6 makes so many IP addresses available that you can give every tv, thermostat, and toaster in your house its own globally valid IP address. But unless you provide your toaster with full-blown anti-virus and firewall software, you are much better off with local addresses behind a NAT.

I've been in the networking business since the early 90's and I am amazed at the number of people like you that think that NAT provides security. I'll bet you think all ICMP is bad too. You probably think that transparent firewalls are more secure than routed ones. Sadly, you fall into the "Security thru obscurity" camp.

Total FUD.

NAT only provides a solution to overcome a lack of publicly routable addresses. Your firewall provides you the same security with or without NAT. That firewall can be running on your laptop or it could be a simple D-LINK or an expensive Cisco/Juniper/Checkpoint/<insert favorite vendor>.

Removing NAT makes a lot of things easier without giving up any security such as troubleshooting (you know the real end points), applications just work, firewalls/routers are more efficient. Removing NAT gives you true peer to peer connectivity. You can still have anonymity in IPv6 with DHCP (a slash 64 DHCP pool is huge).

Tech for small clec/ISP here. Ultimately the destination isn't either CGN or ipv6... It's both. For customers that want it, we already provide full dual stack v6 capability (we do require that they demonstrate stateful packet filtering capabilities on their CPE though). However, we guess that our existing v4 allocation will run dry in the next 3 years or so. Then we'll probably start converting customers to cgn. We're thinking about routing folks a /26 of private v4 space so they can avoid being double nat'd and setting up a web portal that they can use to manage ~100 port forwards. It isn't pretty but the amount of devices and customer routing equipment out there all but dictate it, even for folks like us who are eagerly deploying v6...

Tech for small clec/ISP here. Ultimately the destination isn't either CGN or ipv6... It's both. For customers that want it, we already provide full dual stack v6 capability (we do require that they demonstrate stateful packet filtering capabilities on their CPE though). However, we guess that our existing v4 allocation will run dry in the next 3 years or so. Then we'll probably start converting customers to cgn. We're thinking about routing folks a /26 of private v4 space so they can avoid being double nat'd and setting up a web portal that they can use to manage ~100 port forwards. It isn't pretty but the amount of devices and customer routing equipment out there all but dictate it, even for folks like us who are eagerly deploying v6...

Then can you honestly say that you are not becoming part of the problem? It is the owners of businesses like yours that will ultimately drive change. As a consumer, if my provider tells me that my old equipment needs upgraded for compatibility reasons, and provides me with a strong case to do so, and it is not cost prohibitive, then it is not a problem for me to comply, especially when so much is at stake. If you have any influence, you would simply draw a line in the sand and say that you are taking the high road.

Tech for small clec/ISP here. Ultimately the destination isn't either CGN or ipv6... It's both. For customers that want it, we already provide full dual stack v6 capability (we do require that they demonstrate stateful packet filtering capabilities on their CPE though). However, we guess that our existing v4 allocation will run dry in the next 3 years or so. Then we'll probably start converting customers to cgn. We're thinking about routing folks a /26 of private v4 space so they can avoid being double nat'd and setting up a web portal that they can use to manage ~100 port forwards. It isn't pretty but the amount of devices and customer routing equipment out there all but dictate it, even for folks like us who are eagerly deploying v6...

Sounds like a pain in the ass for anyone who wants to use well-known ports. Of course, since you do have ipv6 stack you can just as easily tell anyone who wants one of those ports that they have to switch to v6 config and equipment.

Once everything switches over to IPv6, how does one directly access another device? It is fairly easy to write down a number like 192.168.1.1. An IPv6 number is significantly longer and being hexadecimal is also harder to remember (at least with my current experience).

Want to fix this problem? Add a one cent annual tax on all US IPv4 addresses, but leave IPv6 addresses untaxed. ISPs will start moving over. You can also make the tax rate double every year.

Yeah, because getting politicians more involved in the affairs of the Internet is a good idea.

You know how the ISPs would respond? Drop everyone behind CGN... behind a single IPv4 address each. 1 cent for 2013. Even doubling every year, it'll be many, many years before it's an issue for them (far further down the road than anyone would care). And it will be a smart move, because the US government, if they get their fingers into that pie, they're not going to want to let go... they'll quickly switch over to taxing IPv6 if that's where people move.

Once everything switches over to IPv6, how does one directly access another device? It is fairly easy to write down a number like 192.168.1.1. An IPv6 number is significantly longer and being hexadecimal is also harder to remember (at least with my current experience).

DNS?

Also, more commonly-accessed devices are usually not going to be DHCP or autoconfigured, so you can make them shorter.

For instance, my laptop is 2604:xxxx:xx::xxxx:daff:fedf:9d02, but my router is 2604:xxxx:xx::1 and my NAS is 2604:xxxx:xx::3. But that doesn't even really matter since both of them are in an internal DNS domain.

Once everything switches over to IPv6, how does one directly access another device? It is fairly easy to write down a number like 192.168.1.1. An IPv6 number is significantly longer and being hexadecimal is also harder to remember (at least with my current experience).

DNS. You don't have the ip addresses for arstechnica.com memorized, do you?

In Australia a lot's going to depend on what happens when the Liberals (republicans/conservatives) win power.

They are talking about stopping the FTTH rollout as part of the NBN and changing it to FTTN and using the existing quickly degrading copper network for vdsl from the node. If that happens expect Australia to be stuck using CGN for the next 50 years for most connections.

Plus quickly selling off the NBN after crippling it with non expandable tech.

According to the Libs no one needs more than 25Mb vdsl and that apartment blocks don't need individual fibre for each apartment but should share a single connection to the node.

Can see that working really well for large apartment blocks with 30 - 100 apartments

It is well known in the industry that fiber is cheaper to operate than copper and that it pays itself off in "relatively" short time.

Higher density, less electricity, more reliable, less maintenance, higher speeds, "future proof" for the foreseeable future.

There are no downsides to fiber other than a relatively small initial cost.

For a lot of users, CGN isn't a problem. The usual stuff they do to download files, music, watch video, play games (they may not work right now but there is no reason why XBox etc can't sort that out).

For some users CGN is a problem, but if you look at who those users are - the reality is that ISPs won't care about those users, they will just charge them more to not be part of the CGN.

People seeding torrents, running web and email servers, running p2p services, running VPNs are not favourites of ISPs anyway, they don't even want their customers to do half of that stuff (hence blocking server ports, shaping p2p traffic) and if they do want to allow it they will want them to pay a premium.

You might not like it but ISPs are the ones making this decision and there is a lot of upside for them in going this route.

In some ways if the ISPs could be trusted to not rip us off then it wouldn't be a bad way to go - most people don't want to do those things anyway so they could live behind CGN, other users that did need it could ask to be outside the CGN and we would still save tons of IPv4 addresses, but obviously they can't be trusted and they are no doubt rubbing their hands at such a great opportunity even now.

In Australia a lot's going to depend on what happens when the Liberals (republicans/conservatives) win power.

They are talking about stopping the FTTH rollout as part of the NBN and changing it to FTTN and using the existing quickly degrading copper network for vdsl from the node. If that happens expect Australia to be stuck using CGN for the next 50 years for most connections.

Plus quickly selling off the NBN after crippling it with non expandable tech.

According to the Libs no one needs more than 25Mb vdsl and that apartment blocks don't need individual fibre for each apartment but should share a single connection to the node.

Can see that working really well for large apartment blocks with 30 - 100 apartments

It is well known in the industry that fiber is cheaper to operate than copper and that it pays itself off in "relatively" short time.

Higher density, less electricity, more reliable, less maintenance, higher speeds, "future proof" for the foreseeable future.

There are no downsides to fiber other than a relatively small initial cost.

Those libs are either lying or ignorant.

They aren't so much ignorant as completely moronic. Unfortunately they'll probably win the next election anyway, because other than the NBN, Labor (the other party) aren't much better.

Not only is cable cheaper in the long run, but as an investment in infrastructure the end-result for the economy should be huge and they are selling off the infrastructure once it's done. So the net cost might actually make the government money but even if they can only get $50 (that's fifty dollars) they'll come out MILES ahead because of the boost this would give to the tech industry in this country (where the internet is so bad we think regional US areas are living in the future).

Tech for small clec/ISP here. Ultimately the destination isn't either CGN or ipv6... It's both. For customers that want it, we already provide full dual stack v6 capability (we do require that they demonstrate stateful packet filtering capabilities on their CPE though). However, we guess that our existing v4 allocation will run dry in the next 3 years or so. Then we'll probably start converting customers to cgn. We're thinking about routing folks a /26 of private v4 space so they can avoid being double nat'd and setting up a web portal that they can use to manage ~100 port forwards. It isn't pretty but the amount of devices and customer routing equipment out there all but dictate it, even for folks like us who are eagerly deploying v6...

Then can you honestly say that you are not becoming part of the problem? It is the owners of businesses like yours that will ultimately drive change. As a consumer, if my provider tells me that my old equipment needs upgraded for compatibility reasons, and provides me with a strong case to do so, and it is not cost prohibitive, then it is not a problem for me to comply, especially when so much is at stake. If you have any influence, you would simply draw a line in the sand and say that you are taking the high road.

Yokem didn't create ipv4 exhaustion, if he tells all his customers that they need to upgrade to ipv6 to stay with his ISP but they can move to another ISP on their existing equipment then a lot of them will leave, trying to force consumers to upgrade wouldn't do anything other than drive him out of business. CGN plus the managed port forwards is a decent option plus maybe users that want an ipv4 address can pay for it (having a small charge would stop people frivolously requesting it), it's a bad situation but people have been encouraged to upgrade to ipv6 for years and it just hasn't worked, what is the better alternative at this point?

The last of 0 is always reserved, no matter the mask and 255 reserved for any octet.

Example of the Class A network of 10.0.0.0

To further illustrate, a few examples of valid and invalid addresses are listed below:

What on earth are you quoting? 10.0.0.0/8 has over 65,000 valid .0 host addresses in it, if you configured it as a single network (which would never actually work, but I digress). If you divided 10.0.0.0/8 into 65536 /24s (which your example seems to do) then you'd have no valid .0 host addresses.
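The subnetting point in the reply above can be checked with Python's standard `ipaddress` module. This is an added example, not from the article or the commenters; the function names are invented here, and /16 is included only for comparison with the /8 and /24 cases the reply mentions.

```python
from ipaddress import IPv4Network, ip_address, ip_network


def role(addr: str, network: str) -> str:
    """Classify addr relative to one network: network, broadcast, host or outside."""
    net, a = ip_network(network), ip_address(addr)
    if a not in net:
        return "outside"
    if a == net.network_address:
        return "network"
    if a == net.broadcast_address:
        return "broadcast"
    return "host"


def dot_zero_hosts(network: str, subnet_prefix: int) -> int:
    """Count addresses ending in .0 that are usable host addresses when
    `network` is carved into subnets of length `subnet_prefix`."""
    net = ip_network(network)
    count = 0
    # Step by 256 so only addresses whose last octet is 0 are visited.
    for value in range(int(net.network_address), int(net.broadcast_address) + 1, 256):
        sub = IPv4Network((value, subnet_prefix), strict=False)
        if int(sub.network_address) != value and int(sub.broadcast_address) != value:
            count += 1
    return count


def summary() -> dict:
    """Usable .0 host addresses in 10.0.0.0/8 under three subnetting choices."""
    return {prefix: dot_zero_hosts("10.0.0.0/8", prefix) for prefix in (8, 16, 24)}
```

Whether a `.0` or `.255` address is reserved depends on the prefix length in use, not on the value of the last octet.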

In Australia a lot's going to depend on what happens when the Liberals (republicans/conservatives) win power.

They are talking about stopping the FTTH rollout as part of the NBN and changing it to FTTN and using the existing quickly degrading copper network for vdsl from the node. If that happens expect Australia to be stuck using CGN for the next 50 years for most connections.

Plus quickly selling off the NBN after crippling it with non expandable tech.

According to the Libs no one needs more than 25Mb vdsl and that apartment blocks don't need individual fibre for each apartment but should share a single connection to the node.

Can see that working really well for large apartment blocks with 30 - 100 apartments